Google: Windows 10 patches put Windows 7 users in danger

Although focusing on Microsoft and Windows, Google encourages all vendors to apply security patches consistently across all supported versions of their software.

Image: ZDNet

Google's Project Zero researcher Mateusz Jurczyk has gone into the gory details of several Windows bugs he found to illustrate that Microsoft should fix the same bugs in Windows 7 as it does in Windows 10.

Microsoft is essentially leaving clues for hackers when it patches Windows 10, but not Windows 7, argues Jurczyk.

That's because hackers can use a technique called 'binary diffing' to analyze fixes in a modern product and pinpoint weaknesses in the older product.

The technique lends itself to Windows 7, Windows 8, and Windows 10, which are a perfect example of concurrently supported branches of a single product that share the same core code, but are patched and improved differently.

As the researcher explains, the ability to use binary diffing is a problem in particular for the security of Windows 7 users, which account for half of all Windows users, because attackers know that Microsoft adds better security and sometimes even bug fixes only to the latest version of Windows.

"This creates a false sense of security for users of the older systems, and leaves them vulnerable to software flaws which can be detected merely by spotting subtle changes in the corresponding code in different versions of Windows," he writes.

"Not only does it leave some customers exposed to attacks, but it also visibly reveals what the attack vectors are, which works directly against user security," Jurczyk continues later.

One example was the bug CVE-2017-8680, which affected Windows 8.1 and Windows 7, but curiously not Windows 10. Project Zero reported it to Microsoft in May and it was fixed in Microsoft's September Patch Tuesday update.

On discovering the bug, the researcher identified the relevant patch in Windows 10 and realized that Microsoft hadn't backported it to earlier versions.

After running more comparisons between Windows 7 versus Windows 10 and Windows 8.1 versus Windows 10, he found two more vulnerabilities, CVE-2017-8684 and CVE-2017-8685, in the Windows 7 and Windows 8.1 kernels. These were also patched in September.

Jurczyk reckons the diffing process he used to find these kernel issues would not require much expertise or knowledge of Windows.

"It could have been easily used by non-advanced attackers to identify the three mentioned vulnerabilities with very little effort," he writes.

"We hope that these were some of the very few instances of such low-hanging fruit being accessible to researchers through diffing, and we encourage software vendors to make sure of it by applying security improvements consistently across all supported versions of their software."